Appsec improvement and fixes after merge (#2645)

AlteredCoder 2023-12-08 10:25:00 +01:00 committed by GitHub
parent 518c7f178a
commit b1f85693c2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 21 deletions


@ -298,8 +298,9 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
request.IsInBand = true
request.IsOutBand = false
//to measure the time spent in the Application Security Engine
startParsing := time.Now()
//to measure the time spent in the Application Security Engine for InBand rules
startInBandParsing := time.Now()
startGlobalParsing := time.Now()
//inband appsec rules
err := r.ProcessInBandRules(request)
@ -308,13 +309,14 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
return
}
// time spent to process in band rules
inBandParsingElapsed := time.Since(startInBandParsing)
AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(inBandParsingElapsed.Seconds())
if request.Tx.IsInterrupted() {
r.handleInBandInterrupt(request)
}
elapsed := time.Since(startParsing)
AppsecInbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddr}).Observe(elapsed.Seconds())
// send back the result to the HTTP handler for the InBand part
request.ResponseChannel <- r.AppsecRuntime.Response
@ -325,12 +327,23 @@ func (r *AppsecRunner) handleRequest(request *appsec.ParsedRequest) {
r.AppsecRuntime.Response.SendAlert = false
r.AppsecRuntime.Response.SendEvent = true
//to measure the time spent in the Application Security Engine for OutOfBand rules
startOutOfBandParsing := time.Now()
err = r.ProcessOutOfBandRules(request)
if err != nil {
logger.Errorf("unable to process OutOfBand rules: %s", err)
return
}
// time spent to process out of band rules
outOfBandParsingElapsed := time.Since(startOutOfBandParsing)
AppsecOutbandParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(outOfBandParsingElapsed.Seconds())
// time spent to process inband AND out of band rules
globalParsingElapsed := time.Since(startGlobalParsing)
AppsecGlobalParsingHistogram.With(prometheus.Labels{"source": request.RemoteAddrNormalized}).Observe(globalParsingElapsed.Seconds())
if request.Tx.IsInterrupted() {
r.handleOutBandInterrupt(request)
}
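Review bot: `startGlobalParsing` is taken before `ProcessInBandRules` and only read after `ProcessOutOfBandRules`, so `globalParsingElapsed` also counts the `request.ResponseChannel <- r.AppsecRuntime.Response` send between the two phases. If that channel is unbuffered, the global histogram includes time spent waiting for the HTTP handler rather than rule evaluation. If the metric is meant to be engine time only, `globalParsingElapsed := inBandParsingElapsed + outOfBandParsingElapsed` keeps it independent of the handler. The `return` after a failed `ProcessOutOfBandRules` (and apparently the in-band one) also skips every `Observe`, so requests whose evaluation errors out never appear in the latency metrics. The body of `handleRequest` begins and continues outside these hunks, so this rests on the visible lines only.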


@ -6,7 +6,7 @@ var AppsecGlobalParsingHistogram = prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Help: "Time spent processing a request by the Application Security Engine.",
Name: "cs_appsec_parsing_time_seconds",
Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
},
[]string{"source"},
)
@ -15,7 +15,7 @@ var AppsecInbandParsingHistogram = prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Help: "Time spent processing a request by the inband Application Security Engine.",
Name: "cs_appsec_inband_parsing_time_seconds",
Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
},
[]string{"source"},
)
@ -24,7 +24,7 @@ var AppsecOutbandParsingHistogram = prometheus.NewHistogramVec(
prometheus.HistogramOpts{
Help: "Time spent processing a request by the Application Security Engine.",
Name: "cs_appsec_outband_parsing_time_seconds",
Buckets: []float64{0.0005, 0.001, 0.0015, 0.002, 0.0025, 0.003, 0.004, 0.005, 0.0075, 0.01},
Buckets: []float64{0.005, 0.01, 0.025, 0.050, 0.1, 0.2, 0.3, 0.4, 0.5, 1},
},
[]string{"source"},
)
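Review bot: The `Help` string of `cs_appsec_outband_parsing_time_seconds` is word for word the same as that of `cs_appsec_parsing_time_seconds`, so the two series cannot be told apart from their `# HELP` lines on the metrics endpoint. Since this commit gives each histogram its own timer, the out-of-band one could read `Help: "Time spent processing a request by the out-of-band Application Security Engine.",`. The new bucket literal is also repeated three times; a single package-level slice (for example `var appsecParsingBuckets = []float64{...}`) referenced from all three `HistogramOpts` would keep them from drifting apart. Note that the first bucket is now 5 ms, so every sub-5 ms evaluation lands in one bucket, which may be coarse for the in-band path.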


@ -63,18 +63,7 @@ func AppsecEventGeneration(inEvt types.Event) (*types.Event, error) {
alert.Meta = append(alert.Meta, &meta)
}
}
for _, key := range evt.Appsec.MatchedRules.GetMatchedZones() {
valueByte, err := json.Marshal([]string{key})
if err != nil {
log.Debugf("unable to serialize key %s", key)
continue
}
meta := models.MetaItems0{
Key: "matched_zones",
Value: string(valueByte),
}
alert.Meta = append(alert.Meta, &meta)
}
alert.EventsCount = ptr.Of(int32(1))
alert.Leakspeed = ptr.Of("")
alert.Scenario = ptr.Of(inEvt.Appsec.MatchedRules.GetName())


@ -2,6 +2,7 @@ package types
import (
"regexp"
"slices"
log "github.com/sirupsen/logrus"
)
@ -132,7 +133,11 @@ func (w MatchedRules) GetMatchedZones() []string {
ret := make([]string, 0)
for _, rule := range w {
ret = append(ret, rule["matched_zones"].([]string)...)
for _, zone := range rule["matched_zones"].([]string) {
if !slices.Contains(ret, zone) {
ret = append(ret, zone)
}
}
}
return ret
}
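Review bot: The new inner loop still uses the unchecked assertion `rule["matched_zones"].([]string)`, which panics if a rule entry lacks the key or holds another type. `GetMatchedZones` runs while building alerts from request data, so a single malformed entry would turn into a crash instead of a skipped rule. The comma-ok form avoids that: `zones, ok := rule["matched_zones"].([]string)` followed by `if !ok { continue }`, then range over `zones`. The `slices.Contains` de-duplication is quadratic in the number of zones, which is fine for a handful of zones but worth a short comment stating that assumption.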